1. Field of the Invention
This invention is related to computer networking, and, more particularly, to compliancy mechanisms in secure managed networks.
2. Description of the Related Art
Conventional compliancy mechanisms in secure managed networks typically rely on a trusted server or servers to manage policy and validate clients (nodes) before allowing the clients access to the network. FIG. 1 illustrates a conventional compliancy mechanism in an exemplary secure managed network. One or more compliancy servers 104 may reside within the scope of a secure managed network 102. A client 106, such as client 106A, that desires to access or join the network 102 may first communicate with one or more of servers 104. In at least some cases, the client 106A's health may be validated before admission to the network is granted. Validating the health of a client 106 may include, but is not limited to, validating that the client has at least the minimally required software, data, and/or hardware installed to meet the security and admission requirements of the network 102. For example, network administration may specify that all clients 106 have at least specific versions of anti-spyware, anti-virus, anti-malware, and other protective/security software installed. As other examples, clients may be required to have specific firewalls, specific policies in place, and/or up-to-date definitions for various security software such as anti-virus or anti-malware software. Other aspects of health validation may include validating what kind of ports are installed and what kind of traffic is allowed through a client-level firewall.
If the client 106A passes the health validation, in some implementations the client may be granted a “health certificate” that may then be presented to a server 104, which may, based on the health certificate, admit the client 106A to the secure managed network 102. Admission to the network may include, but is not limited to, one or more of assigning secure managed network-specific address(es) to the client 106A, and issuing certificates, keys, passwords, or other security information to the client 106A. If the client 106A fails the health validation, then the client 106A may be “remedied” by obtaining a package of the needed updates or installs to bring the client's health up to specification from the server(s) 104. After installing the downloaded package, the client 106A may then seek to again have its health validated by server(s) 104. If successful, the client 106A may then seek admission to the network 102 from server(s) 104. Note that a client 106 whose health has been validated may be referred to as a “trusted” client. Once admitted to the secure managed network 102, a client 106A may communicate with one or more other clients 106 and/or one or more other devices 108 within the scope of the network 102.
Note that an admitted (or trusted) client 106, such as client 106A, may access server(s) 104 to obtain access to a global network 100, e.g. the Internet, via networking device(s) 108, such as routers. Obtaining access to the global network 100 may include, but is not limited to, one or more of assigning global network address(es) to the client 106A and issuing certificates, keys, passwords, or other security information to the client.
FIG. 2 illustrates a conventional compliancy mechanism using multiple servers with different functions in an exemplary secure managed network. FIG. 2 is essentially the same as FIG. 1, except that admission control is performed by an admission control server 110, health validation is performed by a health validation server 112, and health remediation is performed by a remediation server 114. In some implementations, the admission control server may be a Dynamic Host Configuration Protocol (DHCP) server. Note that there may be one or more instances of each type of server. This example shows client 106C going through the compliancy process with the various servers in an attempt to gain admission to secure managed network 102.
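The validate / remediate / admit cycle of FIGS. 1 and 2, as an added example that is not part of the patent text. The policy table, the version strings, the certificate layout and the shared server key are all constructed for illustration; a real deployment would sign the health certificate with the validation server's key and let the admission server verify it.

```python
import hashlib
import hmac
import json

# Constructed policy: minimum acceptable version of each required component.
POLICY = {"antivirus": "4.2.0", "anti-spyware": "1.10", "firewall": "2.0"}

# Placeholder secret shared by the health validation and admission servers.
SERVER_KEY = b"health-validation-server-key-placeholder"


def version_tuple(v):
    """Compare versions numerically so that '1.10' ranks above '1.9'."""
    return tuple(int(part) for part in v.split("."))


def validate_health(client_id, inventory):
    """Health validation server: `inventory` maps component -> reported version.
    Returns ('certificate', cert) on pass or ('remediation', needs) on fail."""
    needs = {}
    for component, minimum in POLICY.items():
        installed = inventory.get(component)
        if installed is None or version_tuple(installed) < version_tuple(minimum):
            needs[component] = minimum          # missing or below the minimum
    if needs:
        return ("remediation", needs)           # the update package to install
    # Health certificate: a statement bound to the client and authenticated
    # so the admission server can check it was issued by the validator.
    body = json.dumps({"client": client_id, "healthy": True}, sort_keys=True)
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return ("certificate", {"body": body, "tag": tag})


def admit(cert):
    """Admission control server: accept only an unmodified certificate."""
    expected = hmac.new(SERVER_KEY, cert["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["tag"])


def apply_remediation(inventory, needs):
    """Client side: install the packaged updates, then re-validate."""
    return {**inventory, **needs}
```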
IPv6
IPv6 (Internet Protocol Version 6) is the latest level of the Internet Protocol (IP) and is included as part of IP support in many products including the major computer operating systems. Formally, IPv6 is a set of specifications from the Internet Engineering Task Force (IETF). IPv6 was designed as an evolutionary set of improvements to IP Version 4. Network hosts and intermediate nodes with either IPv4 or IPv6 can handle packets formatted for either level of the Internet Protocol. An improvement in IPv6 over IPv4 is that IP addresses are lengthened from 32 bits to 128 bits. IPv6 describes rules for three types of addressing: unicast (one host to one other host), anycast (one host to the nearest of multiple hosts), and multicast (one host to multiple hosts).
IPv6 introduces the concept of scopes (e.g., link-local, site-local and global). Site-local has the scope of an entire site, or organization. The scopes introduced by IPv6 allow addressing within an organization without the need for using a public prefix. Routers forward datagrams using site-local addresses within the site, but not outside the site to the public Internet. Site-local addresses may be differentiated from link-local addresses by having a tenth bit of “1” following the nine starting address bits common to all private IPv6 addresses. Thus, site-local addresses begin with “1111 1110 11”. In hexadecimal, site-local addresses begin with “FE” and then “C” to “F” for the third hex digit. Therefore, these addresses start with “FEC”, “FED”, “FEE” or “FEF”. IPv6 site-local addresses allow data to be sent only to the devices within a site or organization. IPv6 link-local addresses are used only on a particular local link (physical network), typically for special purposes such as address resolution or neighbor discovery. Link-local addresses start with “FE8”, “FE9”, “FEA” or “FEB”.
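The ten-bit scope test described above, as an added example that is not part of the patent text. It classifies an address by its leading bits (link-local 1111 1110 10, site-local 1111 1110 11), shows that this agrees with the FE8..FEB / FEC..FEF hex rule, and applies the forwarding consequence the passage states for a site border router. Only the Python standard library is used; `border_router_forwards` is an assumed helper name.

```python
import ipaddress

LINK_LOCAL_TOP10 = 0b1111111010   # FE80::/10
SITE_LOCAL_TOP10 = 0b1111111011   # FEC0::/10


def ipv6_scope(text):
    """Return 'link-local', 'site-local' or 'other' from the first ten bits."""
    addr = ipaddress.IPv6Address(text)       # validates the textual form too
    top10 = int(addr) >> (128 - 10)          # the ten leading bits as an int
    if top10 == LINK_LOCAL_TOP10:
        return "link-local"
    if top10 == SITE_LOCAL_TOP10:
        return "site-local"
    return "other"


def scope_from_hex_prefix(text):
    """Same classification using the three leading hex digits the text lists."""
    prefix = ipaddress.IPv6Address(text).exploded[:3].upper()
    if prefix in ("FE8", "FE9", "FEA", "FEB"):
        return "link-local"
    if prefix in ("FEC", "FED", "FEE", "FEF"):
        return "site-local"
    return "other"


def border_router_forwards(dst):
    """Site border router: site-local and link-local destinations must not
    leave the site for the public Internet; everything else may be routed."""
    return ipv6_scope(dst) == "other"
```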
TPM
In computing, Trusted Platform Module (TPM) is both the name of a published specification detailing a microcontroller that can store secured information and the general name of implementations of that specification. The TPM specification is the work of the TPM Work Group, under the auspices of the Trusted Computing Group.